I have my desktop in the office. When X starts, ssh-agent starts automatically. I have to add my SSH key once, at the beginning, and then I can use ssh without having to enter my password each time.

However, when I connect to my desktop via SSH (i.e. from home) the ssh-agent is not accessible and I have to provide my key every time. Also, even if I start a new instance of ssh-agent, I still cannot connect to it.

Is there a way to use ssh-agent on a remote system (to which I am connected via ssh)?

2 Answers

You can use agent forwarding: make sure to include ForwardAgent yes in your client-side configuration (~/.ssh/config), or use the -A command line option. (This feature can be disabled on the server side (AllowAgentForwarding in sshd_config), but this is only useful for restricted accounts that cannot run arbitrary shell commands.) This way, all the keys from your local machine are available in the remote session. Note that enabling agent forwarding on the client side has security implications: it gives the administrator of the remote machine access to your keys (for example, if you are at A and have a key for B and a key for C, and enable agent forwarding in your connection to B, then this lets B access your keys and hence log into C).

If you want to make the agent from your X session on the office machine available in the SSH sessions from home, then you need to set the SSH_AUTH_SOCK environment variable to point to the same file as in the X session. It's easy enough to do manually:

export SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXXXXXX/agent.12345

where XXXXXXXXXXXX is a random string and 12345 is the PID of the agent process. You can automate this easily if there is a single running agent (find /tmp -maxdepth 1 -user $USER -name 'ssh-*') but detecting which agent you want if there are several is more complicated.

You can extract the value of SSH_AUTH_SOCK from a running process. For example, on Linux, if your window manager is Metacity (the default Gnome window manager):

Alternatively, you can configure your office machine to use a single SSH agent. If the agent is started automatically when you log in, then in most distributions, it won't be started if there is already a variable called SSH_AUTH_SOCK in the environment. So add a definition of SSH_AUTH_SOCK to your ~/.profile or ~/.pam_environment, and manually start ssh-agent if it isn't already started in .profile:

That way you get a new SSH agent instance and a new bash shell with the necessary environment variables set. When you leave the shell with exit or logout, the SSH agent quits as well.

If you have the same keys available in the device you're using directly, you can also use ssh -A to make the local agent accessible to the newly started remote shell. It has some security implications but if you have the key available on both devices anyway, there's no difference.

When you want to connect to an existing agent, you need to set up the relevant environment variables just as they are set up in your graphical shell. It might be convenient to use an autostart facility of your GUI session to store the variables somewhere. You can get the environment variables using env.

env | grep SSH

For accessing the agent, you basically just need SSH_AUTH_SOCK. SSH_AGENT_PID is used for sending signals to the agent, and the other SSH variables are used for auxiliary tools.

You can also access the environment of other processes via /proc/*/environ. The items are NUL-terminated, not LF-terminated, though. I believe the file method is preferable in this case.
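Putting the two answers' suggestions together (the scan of /tmp from the first answer, the NUL-separated /proc/PID/environ from the second), as an added example that is not part of either answer. The function names, the assumption that agent sockets live under /tmp, and the use of ssh-add's exit code (0 = keys loaded, 1 = reachable but empty, 2 = cannot connect) to tell a live socket from a stale one are mine:

```shell
#!/bin/sh
# Locate a usable ssh-agent from an SSH session (assumed helpers, not
# taken from the answers above).

# Print the SSH_AUTH_SOCK value recorded in an environ file.
# /proc/<pid>/environ is NUL-separated, so turn NULs into newlines first.
# $1: path to the environ file (normally /proc/<pid>/environ).
agent_sock_from_environ() {
    tr '\000' '\n' < "$1" | sed -n 's/^SSH_AUTH_SOCK=//p' | head -n 1
}

# Classify a socket path by what ssh-add reports when talking to it:
# live  = agent answers and holds keys (exit 0)
# empty = agent answers but has no keys (exit 1)
# dead  = no agent behind the path, or ssh-add missing (exit 2 / 127)
agent_status() {
    SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo live ;;
        1) echo empty ;;
        *) echo dead ;;
    esac
}

# Walk the ssh-* directories in /tmp (assumption: that is where the agent
# was started) and print the first socket a running agent answers on.
# Other users' directories are mode 0700, so only our own sockets are
# reachable anyway.
find_live_agent_socket() {
    for sock in /tmp/ssh-*/agent.*; do
        [ -S "$sock" ] || continue
        case $(agent_status "$sock") in
            live|empty) printf '%s\n' "$sock"; return 0 ;;
        esac
    done
    return 1
}

# Usage from the remote shell:  eval "$(sh find-agent.sh)"
# Prints nothing (and exits 1) when no agent is found.
if sock=$(find_live_agent_socket); then
    printf 'export SSH_AUTH_SOCK=%s\n' "$sock"
fi
```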